• Print

Our Hackable Democracy

Steve Marcus/Reuters
The Voting Machine Hacking Village at the Def Con hacker convention, Las Vegas, Nevada, July 29, 2017

The recent news that thirty electronic voting machines of five different types had been hacked for sport at the Def Con hackers’ conference in Las Vegas, some in a matter of minutes, should not have been news at all. Since computerized voting was introduced more than two decades ago, it has been shown again and again to have significant vulnerabilities that put a central tenet of American democracy—free and fair elections—at risk.

The Def Con hacks underscored this. So did the 2016 presidential election, in which the voter databases of at least twenty-one and possibly thirty-nine states, and one voting services vendor, came under attack from what were apparently Russian hackers. Last September, then-FBI Director James Comey vowed to get to the bottom of “just what mischief” Russia was up to, but, also sought to reassure lawmakers that our election system remained secure. “The vote system in the United States…is very, very hard for someone to hack into because it’s so clunky and dispersed,” Comey told the House Judiciary Committee. “It’s Mary and Fred putting a machine under the basketball hoop in the gym. These things are not connected to the Internet.”

Comey was only partially correct. Clunky and dispersed, American elections are run by the states through three thousand individual counties, each one of which is responsible for purchasing and operating the voting machines set up by Mary and Fred. But Comey missed a central fact about many of those machines: they run on proprietary, secret, black-box software that is not immune to hacking, as Def Con demonstrated. Additionally, the votes registered by touchscreen machines, some of which keep no paper record of their transactions, as well as ballots read by optical scanning machines—the two technologies most widely used at the moment—are typically counted by a central tabulator that is connected to the Internet. And these are just the most obvious weak points. As University of Michigan computer science professor J. Alex Halderman told the Senate Intelligence Committee last June:

A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters. … Before every election, voting machines need to be programmed with the design of the ballot, the races, and candidates. This programming is created on a desktop computer called an election management system, or EMS, and then transferred to voting machines using USB sticks or memory cards. These systems are generally run by county IT personnel or by private contractors. Unfortunately, election management systems are not adequately protected, and they are not always properly isolated from the Internet. Attackers who compromise an election management system can spread vote-stealing malware to large numbers of machines.

This, one imagines, is the sort of mischief the Russian hackers were exploring when they attempted to break into the email accounts of VR Systems, a Florida-based election-management company that provides services in eight states, including Illinois, New York, and California. Still, those hackers might have had even more opportunities if they had targeted SOE Software, another Florida election management company: it services nearly one third of the three thousand counties that run American elections, and all of its tabulation data is sent over the Internet, according to Bev Harris, the founder of the activist group Black Box Voting.

Harris was the subject of the Emmy-nominated 2006 documentary Hacking Democracy. In that film, we can see her accessing a file she found on the website of Diebold Election Systems, which at the time was one of the main suppliers of voting machines in the country, and with a few keystrokes, showing how simple it is to change a vote tally. “I call this ‘editing,’ not ‘hacking,’’’ Harris told me, “because it doesn’t take much to change the outcome.” (When she brought this vulnerability to the attention of Diebold, they threatened her with a lawsuit.) In the film, such “editing” is demonstrated more than a few times, using a variety of exploits, leading Dr. Hugh Thompson, who is currently the chief technology officer of the computer security firm Symantec, to express shock at how easily and invisibly an election could be compromised: “So imagine you could go into a box and essentially rewrite history and there’s no record of you rewriting history. And the only record of the thing itself is the history you changed.” (In the years since Hacking Democracy was made, Diebold’s subsidiary Premier Election Solutions was sold to Election Systems & Software, which is now the largest manufacturer of voting machines in the country, though many of the old Diebold machines are still in use and were purchased after these deficiencies were publicized. The leadership of ES&S, like Diebold before it, has deep ties to the Republican Party.)

Harris’s Black Box Voting website is, among many other things, a compendium of what can go wrong—and has gone wrong—since the introduction of computerized voting. This includes the time voters in Jefferson Parish, Louisiana, pressed a touchscreen for one candidate, which then registered a vote for her opponent; the time voters in Volusia County, Florida, who selected presidential candidate Al Gore had their votes subtracted, not added, to his total; and the time an aide to a United States congressman was implicated in a scheme to hack into the election system to obtain thousands of absentee ballots.

Absentee and mail-in ballots are especially vulnerable. The signatures on them are verified by a digital image file that can be modified; they are sent through automated optical scanners that may not read them correctly—if, for example, they are crooked when they enter the machine; and they are then counted by a centralized, Internet-connected machine, all the while passing through many hands with little oversight. Harris calls this a “chain of custody” vulnerability and points out that it—along with voter registration lists, voter history files, and tabulation hardware and software—is one of the routes by which hackers have been known to infiltrate the system or could find their way into it in the future. The hackers who were rooting around in the election systems of those twenty-one or thirty-nine states last year, for instance, were especially interested in voter rolls. Whether they wanted those files to shore up the databases of Donald Trump’s digital team, to eliminate voters who were not likely to support Trump, to seed doubt about the integrity of American democracy, or some other purpose, is not yet clear. Nor will it be. “Do we know the magnitude of election tampering right now?” a computer-security researcher and professor at the University of Pennsylvania named Matt Blaze asked an audience at Def Con. He then answered his own question: We do not. “There are no procedures to permit forensics after an election,” he added, so none was done.

Steve Marcus/Reuters
The motherboard of a disassembled voting machine at the Def Con hacker convention, Las Vegas, July 29, 2017

A year ago, shortly after The New York Times reported that the director of the Department of Homeland Security, Jeh Johnson, was considering designating the electoral system part of America’s “critical infrastructure” in an effort to shore up its cybersecurity, a number of Republican leaders, as well as local election officials, protested. Most echoed the sentiments of Hans von Spakovsky, a senior fellow at the conservative Heritage Foundation, who saw it as “a way for the administration to get Justice Department lawyers, the FBI, and DHS staff into polling places they would otherwise have no legal right to access, which would enable them to interfere with election administration procedures around the country.”

This is the sort of interference, of course, that hackers themselves aim to do. But von Spakovsky, who is now a member of the Pence-Kobach committee looking into so-called “illegal voting,” which, among other things, is demanding that states provide it with their voting registries, scoffed at this. There is “no credible threat of a successful cyber-attack,” on the election system, he wrote, implying that those seeking the critical infrastructure designation were hysterical at best and nefarious at worst. 

We know now that even before the Heritage Foundation published this piece, hackers were attempting to penetrate state voting registries, and files stolen from Democratic National Committee and the Democratic Congressional Campaign Committee had been passed along to Wikileaks and DC Leaks, which posted them online. We also know that in the weeks and months leading up to the election, thirty-three states and thirty-six local governments requested cybersecurity audits from the DHS. They, clearly, were concerned.

In January, a few weeks before leaving office, when the scope of Russian interference in the election was becoming clear to the American public, if not to its recently elected president,  Johnson did make the critical infrastructure designation. Unfortunately, it turns out to be fairly toothless. While it enables states and municipalities to request threat assessments of their systems by the Department of Homeland Security, it’s up to those state and county authorities to fix the vulnerabilities that are uncovered. Yet many of the vulnerabilities that affect the election system lie outside their sphere of influence. It’s absurd to expect Comey’s hypothetical Marys and Freds to override the proprietary software running many voting machines, especially when doing so may be a criminal offense. Indeed, this fails to take into account that much of the American election system is a commercial enterprise, run for profit, outside the purview of even the local folk tasked with running our elections, let alone that of average citizens.

At the moment, about a quarter of voting machines do not keep a paper record of votes cast. Five states are completely paperless, while fourteen are partially paperless, and either way a meaningful statewide audit is impossible. As Barbara Simons, the president of the non-partisan group Verified Voting, pointed out to me in an email, “Some [of the 14], such as Pennsylvania, are critical swing states. Eighty percent of Pennsylvania voters are still stuck with unreliable, insecure, ancient, paperless voting machines, making Pennsylvania a prime target for mischief.”

Still, having a paper trail does not guarantee that the machines themselves have not been hacked, especially if they continue to run on proprietary software. As former CIA director R. James Woolsey and technologist Brian J. Fox argued recently in The New York Times, those software systems should be replaced by open-source software that can be tested, openly and honestly, for glitches and other anomalies. Not surprisingly, there has been significant resistance from both Microsoft, on whose platform these systems are based, and the companies that make and test voting software.

And having paper ballots will be meaningless if more states follow the lead of Washington and New Hampshire, which have made it illegal for the public to look at them. Or, consider Virginia, a state that is partially paperless (and thus incapable of verification), where state law prohibits an audit until after the election has been certified and no one has initiated a recount. Colorado, on the other hand, has made voting records part of the public record. According to Halderman, the computer science professor who testified before the Senate Intelligence Committee last June, only it and New Mexico have laws on the books that enable rigorous enough audits of the outcome of elections to result in high confidence.

Most laws governing elections were written before computerization and presume ballots will be cast on paper and counted by hand. Ironically, we could make computerized elections more secure by codifying that assumption and requiring both a paper trail and an auditing system that shows, with near perfect confidence, that the outcome on the paper ballots matches the result on the computer. Granted, this won’t stop hackers from exploiting other aspects of the election system. It won’t prevent email phishing, which is how hackers made their way into VR Systems and might have been able to worm into voter registration databases; in light of the Department of Justice’s newfound support of states that purge voters who have not voted in a while, voter histories, which can be surreptitiously altered, make better targets than ever. Moreover, it doesn’t address weaknesses in the chain of custody, and it still leaves much of the system in the hands of IT contractors and commercial vendors, themselves vulnerable to corporate pressures and malfeasance.

But shoring up these, in many cases, is a matter of more robust oversight, not of technology. Citizens could demand of their local officials that the companies they hire to service our elections be more transparent and secure. As Comey told Congress the day he testified before the House Judiciary Committee, the hackers will be back. Best that we don’t continue to hold the door open for them.